The Ultimate Guide to Hacking MacOS «Null Byte :: WonderHowTo

Apple's macOS operating system is as vulnerable to attacks as any Windows 10 computer or Android smartphone. Hackers can embed backdoors, evade everyday antivirus, and use USB flash drives to fully compromise a MacBook. In this always-updated guide, we describe dozens of macOS-specific attacks that penetration testers should know about.

How Do You Hack a MacBook?

When considering this question, it helps to think about our proximity to the target Mac. The farther we are from the target, the harder it becomes to get access. Whether we have physical access, share a Wi-Fi network with the device, or know enough to social-engineer a user from a distance into opening a backdoored program determines how much effort an attacker needs to put in to get a remote shell.

With this in mind, the following items are organized by the proximity to the target MacBook required to perform the hack.

We start by talking about the different types of attack vectors and payloads that can be created for macOS. After that, physical and USB flash-drive attacks are discussed, followed by network-based attacks and how macOS targets can be compromised from anywhere in the world. Finally, we look at exploits and major vulnerabilities the OS has suffered in recent years to give readers and bug bounty hunters an idea of where the operating system's most alarming issues have been discovered.

2. A Ruby Command to Bypass Antivirus

For this hack, a Ruby payload is embedded in an AppleScript and made to look like a regular PDF file. The fake PDF is then shared with the intended target, who opens it and hands us the payoff.

3. A Tclsh Command to Bypass Antivirus

The lesser-known but very powerful Tcl command is used to evade antivirus and backdoor a MacBook with just a few characters. The great thing about this attack is that it recovers when the backdoor is unexpectedly terminated.

4. Use Recovery Mode to Extract & Brute-Force a Hash

Recovery Mode is used to extract a login hash, which is later brute-forced with Hashcat to reveal the password in plain text. The attacker could use a USB flash drive and another Mac to do the heavy lifting, or could simply create a temporary user on the target Mac instead.

5. Use Single-User Mode to Configure a Backdoor

Single-user mode is used to embed a Netcat listener on the target device and execute it with cron at set intervals. This method is most effective when the target device allows incoming connections and shares a Wi-Fi network with the attacker.

6. Connect to Backdoors from Anywhere

Building on the article above, this method completely bypasses the target's firewall and allows the attacker to control the MacBook as it moves between different Wi-Fi networks.

7. Break Through FileVault Encryption

Some targets may have encrypted their hard drive with FileVault. While this prevents the MacBook from being compromised in a few seconds, it is not completely bulletproof. It is possible to automate a password-guessing attack against FileVault using the right software and a Bash script.

Get a Shell with Trojan AppleScripts

Now, let's talk about embedding one-line payloads in AppleScripts.

AppleScript, currently included in all versions of macOS, is a scripting language that lets users directly control macOS applications as well as parts of macOS itself. Every AppleScript application carries an embedded executable. This makes AppleScript applications one of macOS's most formidable attack vectors.

Normally, AppleScript lets users write harmless scripts to automate repetitive tasks, combine features from multiple legitimate applications, and build complex workflows. But it can be abused by hackers to take control of a target operating system.

8. Create a Fake PDF Trojan with AppleScript

An introduction that covers creating an Empire stager designed for AppleScript trojans. The stager is then embedded in an AppleScript. After the stager (or payload) is prepared, the file extension and icon are spoofed to make the .app look like a real PDF.

9.

AppleScript is used to circumvent the limitations of Mojave's new security features by social-engineering the target with a legitimate application that requires administrative privileges.

USB Drop Attacks

It may not always be possible to physically backdoor a MacBook. The next easiest way to compromise a target is to social-engineer them into opening a trojanized AppleScript. This can be accomplished with USB drop attacks, to which macOS is highly susceptible.

Experiments have shown that almost 50% of people who find a dropped USB flash drive plug it into their computer. This makes USB drop attacks an effective method of getting a shell without ever touching the MacBook.

The USB flash drive containing the AppleScript should be placed strategically somewhere the intended target will undoubtedly find it. This could be somewhere in their workplace, around their home, or slipped into their bag or backpack if it is possible to get close enough.

11. Spread Trojans & Pivot to Other Macs

Files found on a target's USB flash drive are modified and trojanized in an attempt to pivot remotely from one Mac to another.

12. Use a Birthday Card to Steal a Wi-Fi Password

While this article is not focused on macOS and instead focuses on capturing the target's Wi-Fi password, the social-engineering aspect can be applied to a MacBook user. Using a greeting card to trick a target into inserting an SD card or USB flash drive into their computer can be reused in many different scenarios with many different goals.

Network-based Attacks

macOS isn't immune to man-in-the-middle (MitM) or network-based attacks. Web traffic travels between the MacBook and the router just as it does for any other internet-connected device. This traffic is easily manipulated and can be used to inject cryptocurrency miners into target web browsers in real time.

Man-in-the-middle attacks have been covered in the following articles.

13. Inject Coinhive Miners into Public Wi-Fi Hotspots

A man-in-the-middle framework is used to inject JavaScript into the target's browser. In addition, this article covers URL obfuscation to evade certain adblock detections. It shows how hackers compromise coffee-shop Wi-Fi networks to force unsuspecting targets to mine cryptocurrency for them.

14. Flip Photos & Inject Messages to Browsers

Images in the target's browser are manipulated in fun and obscene ways using a man-in-the-middle framework.

15. Sniff Wi-Fi Activity Without Connecting to the Router

Packets are captured and analyzed without ever connecting to the Wi-Fi network. Like Windows 10 and smartphones, macOS devices are affected by and vulnerable to such attacks.

To protect users from malware, a Developer ID is required to sign programs and gain macOS's "trust" so the apps are allowed to run. Unfortunately, anyone with a credit card can acquire a Developer ID and even distribute their malicious application through Apple's App Store.

App Store compromises first made headlines in 2015 when many apps were found exfiltrating user data to an attacker's server. And again later, apps were removed from the App Store for stealing user data. And these are just the malicious apps that have been discovered or revealed by independent security researchers. The actual extent of this problem is unknown. For all we know, Apple removes shady apps every day without informing the public.

It's really not impossible, or even very difficult, to compromise macOS targets in other states or countries. It's a matter of being motivated enough to join Apple's Developer ID program and simply pay for a certificate. In future posts, I may cover this topic in more detail and update this section of the article.

Post-Exploitation Attacks

Commands and attacks executed after remote access has been established are classified as post-exploitation attacks. These include situational awareness, data exfiltration, covert desktop streaming, microphone eavesdropping, privilege escalation, and password dumping, to name a few. I have covered many post-exploitation topics, described below.

16. Perform Situational Awareness Attacks

A two-part article that covers machine and software enumeration, ARP cache dumping, locating sensitive files, and identifying connected storage media. After establishing a remote shell, it is important for an attacker to develop an understanding of their physical and network surroundings.

17. Installing a Persistent Empire Backdoor on a MacBook

Netcat is used to upgrade the attacker's primitive backdoor to a fully-featured post-exploitation framework.

18. Automate Screenshot Exfiltration

Screenshots of the target's desktop are taken covertly to passively observe behavioral activity. Such information can be used to further compromise the target and is often abused by blackhats for extortion once they have captured embarrassing or compromising conversations and photos.

19. Covertly Livestream Someone's Screen Remotely

Taking the concept of observing behavioral activity to the next level, the entire MacBook display is streamed to the attacker's computer and viewed in real time. This allows an attacker to see the target's every mouse click and keystroke without detection.

20. Listen Through the Microphone in Real Time

The MacBook's microphone is used to record conversations in the surrounding area and stream them to the attacker's system for real-time analysis.

21. Sniff Passwords on a Mac in Real Time

A two-part article that shows how to quickly and easily collect and exfiltrate a MacBook's unencrypted web traffic using a combination of tools like Netcat, Empire, Tcpdump, Tshark, and Wireshark.

22. Dump Passwords Saved in the Firefox Browser Remotely

The passwords stored in Firefox are dumped using a low-privileged backdoor with just a few commands. Knowing the target's recent passwords, targeted wordlist attacks become possible and the macOS login password can be brute-forced.

Privilege Escalation Attacks

It may be desirable to elevate remote privileges in order to modify sensitive files and directories. Root privileges allow an attacker to execute commands with almost no security restrictions. There are several common methods for escalating to root privileges; see below.

23. Perform Privilege Escalation

Files owned by the root user are found to have weak permissions and are exploited by an attacker by embedding a backdoor in them. Alternatively, an Empire stager is used to trigger a credential-prompt dialog and trick the target into revealing their login password.

macOS Zero-Days & Exploits

Hacking macOS does not end with the simple attacks outlined in this article. There are very sophisticated macOS vulnerabilities and exploits currently being used in the wild.

For example, in 2017 Patrick Wardle disclosed a vulnerability that allowed unauthorized applications to dump and exfiltrate a user's keychain, with passwords in plain text. In September 2018, Patrick disclosed a vulnerability that generated synthetic mouse clicks without user consent, allowing an attacker to bypass any macOS security feature that relied on manual interaction with a prompt dialog. Again, just one month later, Patrick revealed a vulnerability that completely bypasses Mojave's latest security features.

The three vulnerabilities discussed were revealed by just one individual. It's not unreasonable to believe that a team of dedicated hackers could find similar vulnerabilities that have not yet been published.

Zero-days are in extremely high demand these days. Not by blackhats, but by cybersecurity companies and professionals. At the time of this writing, sites like Zerodium will pay up to $80,000 USD for a macOS or Safari exploit (as shown below). Other bug bounty programs offer millions of dollars for a single zero-day.

Image via Zerodium

And it does not end there. Vulnerabilities and application-specific exploits that do not make news headlines have appeared on Exploit Database at least once a month in recent years. There were nearly 40 vulnerabilities reported in 2017, including local privilege escalation, memory disclosure, and arbitrary file execution.

How to Protect Against macOS Attacks

There are certainly many ways to compromise a macOS device. Below are some things readers can do to identify and prevent such activity from happening to them.

Do not use strange USB flash drives. If you have stumbled upon a USB flash drive that does not belong to you, do not use it. This is perhaps the best advice we can give. A well-placed USB flash drive may be the result of a well thought-out social-engineering attack against you or your employer. No matter how the USB flash drive is found or what files appear to be on it, do not insert it into your MacBook.

Enable a firmware password. To prevent an attacker from booting into a live USB device, single-user mode, or recovery mode, set a firmware password. The firmware will only ask for this additional password at startup if someone tries to boot the MacBook in single-user, boot manager, target disk, or recovery mode. However, a firmware password does not protect the hard drive if the disk is physically removed from the MacBook.

Do not double-click files. It is always best to explicitly choose which application to use when opening files. Right-click the desired file and manually select an application from the "Open With" menu. You will find that AppleScript applications do not have an "Open With" option in the context menu. This is because they are actually directories and cannot be opened with applications like TextEdit.

Show all filename extensions. The Unicode trick used to spoof file extensions only works if "Show all filename extensions" is disabled, which it is by default. Enable this setting by navigating to "Finder" in the menu bar, then "Settings", and checking the option under the "Advanced" tab. The file extension will then always be displayed and cannot be spoofed.

List files on the USB flash drive. When in doubt, use Terminal to list (ls) the files on the USB flash drive. File extensions cannot be spoofed here under any circumstances. Use this command with -l to print the contents of the USB flash drive in list format and -a to display all files on it, including hidden files.
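As an added example (not code from the original article), here is a small POSIX shell script that does what the tip above suggests, listing a volume the way ls -la does, and additionally flags the three things a disguised "PDF" relies on: the entry really being an .app bundle (a directory), a right-to-left override character (U+202E) hidden in the name, and a document extension stacked in front of an executable one. The directory to scan is passed as an argument; the /Volumes path in the usage comment is where macOS mounts flash drives, and the flag names are this example's own.

```shell
#!/bin/sh
# Inspect a removable volume: list everything (like ls -la) and flag the
# file-name tricks a disguised AppleScript .app relies on.
# Added example for this guide, not code from the original article.

# U+202E RIGHT-TO-LEFT OVERRIDE as raw UTF-8 bytes. Placed in a name such as
# "report<RLO>fdp.app", it makes Finder display "reportppa.pdf" while the
# real name still ends in ".app".
RLO=$(printf '\342\200\256')

# classify_entry PATH
# Prints one "FLAG<tab>NAME" line per problem found, nothing for a clean
# entry. Exit status 0 = clean, 1 = flagged.
classify_entry() {
    entry_path=$1
    entry_name=${entry_path##*/}
    flagged=0

    # An .app is a bundle, i.e. a directory. That is why Finder offers no
    # "Open With" for it and why TextEdit cannot open it.
    case "$entry_name" in
        *.app|*.App|*.APP)
            if [ -d "$entry_path" ]; then
                printf 'APP_BUNDLE\t%s\n' "$entry_name"
                flagged=1
            fi ;;
    esac

    # A Unicode override character has no business in an honest file name.
    if printf '%s' "$entry_name" | LC_ALL=C grep -q -F "$RLO"; then
        printf 'RTL_OVERRIDE\t%s\n' "$entry_name"
        flagged=1
    fi

    # Document-looking name in front of an executable extension, which is
    # all the user sees while "Show all filename extensions" is off.
    case "$entry_name" in
        *.pdf.app|*.doc.app|*.docx.app|*.jpg.app|*.png.app|*.pdf.command|*.doc.command|*.docx.command|*.jpg.command|*.png.command)
            printf 'DOUBLE_EXTENSION\t%s\n' "$entry_name"
            flagged=1 ;;
    esac

    return $flagged
}

# list_flags DIR: only the flag lines, for every entry including hidden ones.
list_flags() {
    for p in "$1"/* "$1"/.[!.]*; do
        [ -e "$p" ] || continue
        classify_entry "$p" || :
    done
}

# scan_volume DIR: the ls -la style listing the article recommends, with
# any flags printed indented under the entry they belong to.
scan_volume() {
    for p in "$1"/* "$1"/.[!.]*; do
        [ -e "$p" ] || continue
        ls -ld "$p"
        classify_entry "$p" | sed 's/^/    /' || :
    done
}

# Usage on macOS, where a mounted flash drive appears under /Volumes:
#   scan_volume "/Volumes/UNTITLED"
```

The APP_BUNDLE check is the one that matters most: whatever the name looks like, a directory ending in .app is a program, and ls -ld shows the leading "d" that Finder hides behind a PDF icon.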

Check for suspicious files. Launch daemon and agent directories used by macOS include /Library/LaunchDaemons, /Library/LaunchAgents, and /Users/<username>/Library/LaunchAgents. Files in these directories can be inspected by opening Terminal and using the cd and ls commands to switch to the desired directory and display its contents. The launchctl command can be used to disable any suspicious daemon, and the rm command to remove it.
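To put the tip above into practice, here is an added POSIX shell script (not from the original article) that walks the three launchd directories it names and, for every .plist, reports the job label, the program it runs and whether it is set to run at load. Two heuristics mark an entry for review: a program living in a temporary or hidden location, and a job whose program is an interpreter such as /bin/sh or osascript. A flag is only a prompt to look closer, not a verdict. Label, Program, ProgramArguments and RunAtLoad are launchd's real plist keys; the parsing is a deliberately minimal awk pass that handles XML plists only, and the REVIEW_* names are this example's own.

```shell
#!/bin/sh
# Review the launchd persistence directories the article lists and flag
# jobs worth a closer look. Added example for this guide, not code from
# the original article. Handles XML plists only; print a binary plist as
# XML first with:  plutil -convert xml1 -o - FILE.plist

# plist_value FILE KEY: first <string> that follows <key>KEY</key>.
# For ProgramArguments that is the executable, the first array element.
plist_value() {
    awk -v key="$2" '
        found && /<key>/ { exit }                     # next key: value was not a string
        $0 ~ ("<key>" key "</key>") { found = 1 }
        found && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit
        }
    ' "$1"
}

# plist_bool FILE KEY: "true" or "false" for a boolean key, empty if unset.
plist_bool() {
    awk -v key="$2" '
        found && /<key>/ { exit }                     # next key: value was not a bool
        $0 ~ ("<key>" key "</key>") { found = 1 }
        found && /<true\/>/  { print "true";  exit }
        found && /<false\/>/ { print "false"; exit }
    ' "$1"
}

# classify_job FILE: one tab-separated line
#   VERDICT  LABEL  PROGRAM  run_at_load=...  FILE
classify_job() {
    job_file=$1
    label=$(plist_value "$job_file" Label)
    program=$(plist_value "$job_file" Program)
    [ -n "$program" ] || program=$(plist_value "$job_file" ProgramArguments)
    run_at_load=$(plist_bool "$job_file" RunAtLoad)
    verdict=ok
    case "$program" in
        /tmp/*|/var/tmp/*|/private/tmp/*|/Users/Shared/*|*/.*)
            verdict=REVIEW_LOCATION ;;      # temp dir or hidden path component
        /bin/sh|/bin/bash|/bin/zsh|*/osascript|*/python|*/python[0-9]*|*/perl|*/ruby|*/nc|*/ncat)
            verdict=REVIEW_INTERPRETER ;;   # a shell or interpreter run as a job
    esac
    printf '%s\t%s\t%s\trun_at_load=%s\t%s\n' \
        "$verdict" "${label:-?}" "${program:-?}" "${run_at_load:-unset}" "$job_file"
}

# review_dir DIR: one line per .plist in DIR.
review_dir() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        classify_job "$f"
    done
}

# review_launch_dirs: the three standard locations named in the article.
review_launch_dirs() {
    for d in /Library/LaunchDaemons /Library/LaunchAgents "$HOME/Library/LaunchAgents"; do
        if [ -d "$d" ]; then
            review_dir "$d"
        fi
    done
}

# Usage on macOS:
#   review_launch_dirs | grep '^REVIEW'
# For a job you have confirmed is unwanted, stop it with launchctl (as the
# article says) and then delete the plist, e.g. for a user agent:
#   launchctl unload ~/Library/LaunchAgents/<label>.plist
#   rm ~/Library/LaunchAgents/<label>.plist
```

System-provided daemons are normally signed binaries under /System or /usr, so an agent that hands a script in a hidden directory to /bin/sh is exactly the kind of entry this list is meant to surface for manual inspection.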

Use private browsing mode. Dumpzilla can do a lot more than just extract passwords from Firefox. It is safer to use private browsing mode 100% of the time. Although it may be inconvenient and make surfing the internet painful, it is actually quite dangerous to entrust so much data to browsers. Browser data dumps containing dozens of email addresses and passwords are shared freely on blackhat hacking forums. If hackers don't sell your data, they wreak havoc on your accounts for fun because it has no financial value to them.

Use a master password. If saving passwords in Firefox is a convenience you are not willing to give up, use a strong master password. This provides a moderate barrier to hackers and can prevent them from learning all of your passwords.

Use a proper password manager. Password managers offer improved protection for stored passwords. Hackers can still exfiltrate the password manager's database and run brute-force attacks against it, but with a strong and unique master password, the attacker must spend weeks (or months) trying to crack the encrypted database.

That's it for the moment. We will continue to update this roundup as we discover new macOS attack vectors. Until next time, follow me on Twitter @tokyoneon_. And be sure to leave a comment below if you have questions!